Windows Updates Fail Via IPv6 - Update!

Saku Ytti saku at ytti.fi
Mon Mar 4 08:13:53 UTC 2019


On Mon, Mar 4, 2019 at 10:02 AM Mark Tinka <mark.tinka at seacom.mu> wrote:

> > Can we make a short rule that says: For ICMP, *ALLOW* *ALL* unless you do have a very specific and motivated reason to block some types.
> > I would even go as far as "allow all icmp from any to any" (and if possible as the first firewall rule), but I do understand that may make some people have hives.
>
> Not to be the wet blanket, but we've been crying about this since before I
> knew what CLI meant, and it either didn't work or has gotten even worse.
> That is how we ended up with all manner of hacks to work around failure
> to reliably deliver PTB messages.

Not just ICMP but everything. We've designed these nice extendible
protocols, but we've configured the network so that we can't extend them.
Like, why is QUIC riding on UDP instead of having its own L4 protocol
number? Because of HTTP/3, the majority of Internet traffic will be UDP,
and due to its reflection potential in other applications that is not an
obvious net win. We should just retire UDP with the status of 'trusted
network only L4' and use something like QUIC for all untrusted L4
applications, where we've thought about issues like reflection.


-- 
  ++ytti
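As an added illustration of the "allow all ICMP, as the first rule" advice quoted above and of the PTB delivery problem it is meant to fix (this is example configuration written for this page, not a ruleset posted by anyone in the thread), here is an nftables input chain for a dual-stack host. The table and chain names, the open TCP ports and the ordering are assumptions; the point is that with a default-drop policy and no explicit ICMP rule, ICMPv6 Packet Too Big (type 2) messages are silently discarded and Path MTU Discovery stalls on large transfers.

```nft
# Added example (not from the NANOG thread): keep ICMP/ICMPv6 open so PMTUD
# keeps working behind a default-drop input policy.
# Table/chain names and the TCP port list are placeholders for this example.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # The rule the thread argues for: admit all ICMP and ICMPv6 up front,
        # before any later rule (or the drop policy) can discard Packet Too Big
        # and the other control messages IPv6 depends on.
        meta l4proto { icmp, icmpv6 } accept

        # Narrower alternative where "allow all" is not acceptable locally:
        # the ICMPv6 types RFC 4890 says must not be dropped. Use this instead
        # of the line above, never in addition to a rule that drops ICMPv6 first.
        # icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
        #               parameter-problem, echo-request, echo-reply,
        #               nd-router-solicit, nd-router-advert,
        #               nd-neighbor-solicit, nd-neighbor-advert } accept

        tcp dport { 22, 443 } accept
    }
}
```

The failure mode to check for in an existing ruleset is an ICMPv6 rule that appears after a generic drop, or a policy of drop with no ICMPv6 rule at all: both produce the symptom where small requests succeed but large downloads over a reduced-MTU path (tunnels, PPPoE) hang.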


